[Palo Alto Networks Security Advisories] CVE-2025-4230 PAN-OS: Authenticated Admin Command Injection VulnerabilityThrough CLI
Palo Alto Networks Security Advisories /CVE-2025-4230
CVE-2025-4230 PAN-OS: Authenticated Admin Command Injection Vulnerability Through CLI
Description
A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.2 | < 11.2.6 | >= 11.2.6 |
| PAN-OS 11.1 | < 11.1.10 | >= 11.1.10 |
| PAN-OS 10.2 | < 10.2.14 | >= 10.2.14 |
| PAN-OS 10.1 | < 10.1.14-h15 | >= 10.1.14-h15 |
| Prisma Access | None | All |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity:MEDIUM, Suggested Urgency:MODERATE
CVSS-BT:5.7 /CVSS-B:8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/R:U/V:D/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW All | No action needed. | |
| PAN-OS 11.2 | 11.2.0 through 11.2.5 | Upgrade to 11.2.6 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.9 | Upgrade to 11.1.10 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.13 | Upgrade to 10.2.14 or later. |
| PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h15 or later. |
| All older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access All | No action needed. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*
Timeline
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
